Yahoo has patched a hole in its web e-mail service which enables hackers to run malicious computer scripts on computers which use Microsoft's Internet Explorer web browser to check web e-mail accounts.

Download this free guide

From forensic cyber to encryption: InfoSec17

Security technologist Bruce Schneier’s insights and warnings around the regulation of IoT security and forensic cyber psychologist Mary Aiken’s comments around the tensions between encryption and state security were the top highlights of the keynote presentations at Infosecurity Europe 2017 in London.

The company applied a fix for the vulnerability shortly after security company GreyMagic Software published an advisory warning about the problem, which also affected Microsoft's Hotmail e-mail service.

However, the filtering, combined with an internet Explorer feature used to process extensions to HTML called HTML + Time (Timed Interactive Multimedia Extensions), made it possible to inject malicious script into incoming e-mail messages.

The script would be run when the web e-mail message was opened and could be used to exploit the machine on which the web mail was being read. The security hole could allow attackers to steal login and password information, or browse the contents of an e-mail account when Explorer was used to check the web mail account for the exploits to work.

"We learned of a cross-site scripting issue in Yahoo Mail, and immediately began working towards a resolution which was implemented yesterday," said Mary Osako, senior director of communications at Yahoo.

Microsoft was informed on 11 March and patched its Hotmail service before the vulnerability was disclosed. However, security researchers at GreyMagic were unable to reach Yahoo.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy